Chapter Four: Current Issues

October 22, 2009

The Internet has changed the quantity and quality of data available about individuals' lives, but in many ways business practices and laws have not progressed to protect privacy. Some companies, enlightened by survey upon survey documenting consumers' privacy concerns, have improved their practices and a few support enactment of federal legislation. The Federal Trade Commission has taken some important steps to protect privacy. Still, though, the U.S. has no baseline consumer privacy legislation. Instead, as noted elsewhere in this guide, we have a patchwork of privacy laws.

Since the terrorist attacks of September 11, 2001, Congress has passed various laws expanding government surveillance powers and federal agencies have undertaken a number of initiatives that pose serious threats to privacy. At the same time, technology changes have outpaced legal limits on government access to private data, so that more information than ever before is available to the government under very weak standards.

In this chapter we first discuss some recent controversies surrounding government surveillance and government use of data. Then we turn to debates about consumer privacy. Of course, technological and market developments that result in more information being generated about us in our daily lives may augment the potential for privacy intrusions by both corporations and governments; at the end of this chapter, we discuss several technologies that have implications for privacy in both the governmental and consumer contexts.

Government Surveillance

ECPA

The Electronic Communications Privacy Act (ECPA) was a forward-looking statute when enacted in 1986. It specified standards for law enforcement access to electronic communications and associated data, affording important privacy protections to subscribers of emerging wireless and Internet technologies. Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986 – light years ago in Internet time.

As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today’s digital communication services may no longer be adequately protected. At the same time, ECPA must be flexible enough to allow law enforcement agencies and services providers to work effectively together to combat increasingly sophisticated cyber-criminals or sexual predators.

The time for an update to the ECPA is now. A coalition of privacy advocates, legal scholars, and major Internet and communications service providers have been engaged in a dialogue to explore how the ECPA applies to new services and technologies. We have developed consensus around the notion of a core set of principles intended to simplify, clarify, and unify the ECPA standards; provide clearer privacy protections for subscribers taking into account changes in technology and usage patterns; and preserve the legal tools necessary for government agencies to enforce the laws and protect the public.

CALEA

The Communications Assistance for Law Enforcement Act (CALEA) was adapted in 1994 to ensure that new telephone network technologies and services did not interfere with law enforcement wiretapping. While Congress intended to limit the FBI's control over the telephone system, CALEA's implementation has been fraught with dangers to privacy. The FBI argued that CALEA required that telephone switches include features giving the government more comprehensive surveillance capabilities than it ever had. The Federal Communications Commission (FCC) adopted most of the FBI's wish list, rejecting privacy concerns. Despite a challenge by CDT and others to the FCC decision in the federal Court of Appeals, most of the features sought by the FBI were eventually built into telephone switching equipment.

Worse yet, in March 2004, the FBI petitioned the FCC to extend CALEA to broadband Internet access and to applications that carry voice over the Internet, often referred to as VoIP. CDT and others opposed the FBI?s request, arguing that Congress specifically intended to exclude the Internet from CALEA regulation. However, the FCC again sided with the FBI and in 2005 ruled that broadband Internet access and interconnected VOIP services were covered by CALEA.

The government conducts surveillance of Internet and telephone communications for criminal purposes and for national security or ?foreign intelligence? purposes. For intelligence surveillance, the Foreign Intelligence Surveillance Act (FISA) establishes a special, secret court, which authorizes government access to the communications of suspected spies and terrorists.

In December 2005, the President confirmed that the government had been going outside FISA and conducting warrantless surveillance on the international communications of people in the United States. A major controversy ensued, with Congressional hearings and vigorous Administration opposition to judicial oversight of its activities.

In July 2008, Congress passed a law expanding the government's ability to conduct surveillance without a warrant. The FISA Amendments Act of 2008 permits intelligence officials to conduct surveillance in the United States that targets foreigners abroad who are communicating with people in the U.S., without any suspicion that either the foreigner or the American is in any way connected to terrorism. CDT believes that the law provides insufficient protections for Americans. The law also immunizes from civil liability the telecommunications carriers that assisted with warrantless surveillance after September 11, 2001.

In response to the 9/11 attacks, Congress quickly passed the USA PATRIOT Act. While it is important to ensure that those who protect us have the necessary legal tools, the Act grants the Executive Branch broad discretionary powers that infringe on fundamental liberties. Furthermore, some of the Act's provisions are not limited to cases of suspected terrorism, but rather apply generally to criminal investigations.

Under the PATRIOT Act:

government agents can collect information about patterns of Internet and telephone usage without prior judicial authorization;

the FBI can compel the disclosure of any business records, even sensitive medical and financial records, upon the claim that they are relevant to an intelligence investigation;

agents investigating any crime can conduct "sneak and peek" searches of homes and offices without notifying affected individuals until days or weeks later;

the FBI can share grand jury information with the CIA, in essence giving the CIA the benefit of domestic subpoena powers;

the FBI can use the weaker standards of the Foreign Intelligence Surveillance Act to carry out wiretaps and secret searches in criminal cases.

On March 9, 2006, Congress reauthorized the expiring provisions of the PATRIOT Act with mostly cosmetic changes and without adequate civil liberties protections. At the end of 2009, Congress again reauthorized the expiring provisions, again without making any significant improvements to the law.

The Transportation Security Administration (TSA) is creating "Secure Flight" to screen air passengers in an effort to keep terrorists off airplanes.

In the past, TSA provided airlines with a list of the names of tens of thousands of people who may pose a threat to aviation security. The airlines compared the names of their passengers to the names on this list. If there was an apparent match, the passenger would be subjected to heightened security measures or prohibited from boarding altogether. Because the list includes errors and many common names and often lacks identifiers that would distinguish an innocent passenger from a suspected terrorist on the list, many passengers have been subjected unnecessarily to heightened security measures, missing flights and disrupting their travel.

Under Secure Flight, the airlines will provide their passenger lists, along with basic identifying data, to the TSA and TSA – not the airline – will check whether any passenger's name appears on the list. This change, while it has some benefits, does not cure the problems associated with the flaws in the government?s list of suspected terrorists. Moreover, it creates serious concerns about how long the government will retain the passenger data provided to it by the airlines.

In an important exercise of checks and balances, Congress placed various limits on Secure Flight and required TSA to come up with a "redress" procedure to enable passengers who are delayed or prohibited from boarding a flight to appeal and ask the government to correct its records.

Secure Flight is one example of the use of "watch lists" consisting of names of suspected terrorists. Watch lists are also used in issuing visas and in making employment decisions for certain jobs. The Terrorist Screening Data Base, maintained by the FBI, is the main source of watchlist information and is used not only by federal agencies but also by state and local police. A separate list maintained by the Office of Foreign Asset Control (OFAC) is widely used by private businesses to screen customers and job applicants. There are still not adequate rules for accuracy nor sufficient mechanisms for redress, so that individuals wrongly accused of being involved with terrorism can get off the lists. There is ongoing debate about what private and public organizations can have access to the lists and what purposes they can be used for.

Data mining is the use of computer tools to extract useful knowledge from large sets of data. "Link analysis" is a form of data mining that seeks to identify the associates of a known or suspected terrorist. "Pattern-based" data mining does not begin with particularized suspicion about a person. Rather, it can involve searching through large databases containing transactional information on the everyday activities of millions of people in order to find patterns that might predict future conduct. Advances in technology and changes in the law have made it possible for the government to retrieve, share and analyze mountains of data about formerly intimate details of a person's life, but it has never been shown that pattern-based data mining can identify terrorists.

When used in the counter-terrorism context, data mining can pose a significant threat to the civil liberties of people who innocently engage in conduct that fits a pattern that has been associated with terrorism. Being mistakenly identified as a possible terrorist can result in devastating consequences such as arrest, deportation or loss of a job.

Data mining should be deployed as an anti-terrorism tool only in circumstances where it has been proven effective and appropriate safeguards have been put in place to protect the privacy and due process rights of individuals.

In 2003, Congress stopped funding for a massive data mining program called "Total Information Awareness." Conceived at the Department of Defense, TIA was intended to develop techniques for analyzing financial, communications, and travel information in order to identify terrorists and predict terrorist attacks. Though TIA itself was de-funded, activities that were part of the project were continued under the auspices of other agencies.

It has long been recognized that processes for issuing driver's licenses and ID cards in the United States need to be improved. However, the solution being pursued ? known as ?REAL ID? — raises serious privacy and security concerns. In 2005, Congress passed the REAL ID Act as a rider on must-pass legislation; the Act received little debate or hearings. It set nationwide standards for state driver's licenses and directed the Department of Homeland Security (DHS) to issue implementing regulations.

While the REAL ID Act created a de facto national ID card for over 240 million American citizens, neither the Act nor the regulations issued by DHS place any limits on the permissible uses of the REAL ID card. Moreover, the legislations issued by DHS mandated that REAL ID cards have a standardized, unencrypted machine-readable zone that could facilitate intrusive tracking by both government and commercial entities. As of October 2008, DHS had not adopted meaningful privacy and security standards for the protection of personal information stored in the REAL ID system.

State governments have shown resistance to the REAL ID program. As of the end of July 2008, 11 states had passed laws barring REAL ID compliance, and an additional 10 states had formally expressed displeasure with REAL ID (e.g., with non-binding resolutions). The federal government granted all states extensions in complying with REAL ID, pushing resolution of the issue to 2009 or later.

Consumer Privacy

Behavioral Advertising

The practice of behavioral advertising – the collection and aggregation of consumers' Web browsing activities for the purpose of serving them targeted advertisements – has grown in recent years. In the past, data was collected through cookies and was aggregated by advertising networks that collect user data across many different sites. Recently, advertisers have been experimenting with new mechanisms, such as deep packet inspection (DPI), to develop more detailed user profiles. Behavioral advertising presents significant privacy risks in large part because consumers are unaware of the practice and thus cannot protect themselves.

In 2008, Charter Communications, a major broadband Internet provider, announced plans to allow an advertising firm, NebuAd, to collect data on its users through DPI. After criticism from consumers and policymakers, Charter reversed course. In 2008, Congress held hearings on behavioral advertising but took no legislative action.

"Spyware" refers to a broad range of software that gets loaded onto personal computers and is used to deliver unwanted pop-up ads or even to steal sensitive information. Those programs create privacy problems and open security holes, they can hurt the performance and stability of computers, and they can confuse users as to why their computers are not functioning properly.

The Federal Trade Commission has brought action against some notorious distributors of spyware. Congress has considered various proposals to combat the "spyware" problem, but has not enacted any new legislation. CDT has organized the Anti-Spyware Coalition and has participated in the Stop Badware project.

In December 2003, Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, known as the "CAN-SPAM" Act. The Act, which took effect on January 1, 2004, created new penalties for sending deceptive spam advertising and imposed other obligations on commercial email. Senders of sexually oriented email are required to add special labels to the headers of such email. With the exception of the labeling requirement, which threatens First Amendment rights, CDT supported the core principles of CAN-SPAM.

Identity theft is a serious problem. Policymakers have struggled to find solutions. In 2003, Congress adopted the Fair and Accurate Credit Transactions Act, which modified the Fair Credit Reporting Act to give consumers the ability to put fraud alerts in their credit files if they have been victims of identity theft. Also, in order to reduce the exposure of credit card numbers, the Act required merchants to print no more than five digits of the number on receipts. In 2004, the Identity Theft Penalty Enhancement Act was adopted, increasing prison sentences for using stolen credit card numbers, Social Security numbers, and other personal information to commit crimes.

One source of the identity fraud problem arises at the state level, where security holes at state departments of motor vehicles (DMV) have allowed criminals to obtain drivers licenses under false pretenses. CDT has long recommended that the federal government should monitor state DMV security problems, impose penalties on state DMV officers who accept bribes to issue licenses, and implement pilot programs for security.

Technologies Posing Privacy Risks in Both Governmental and Consumer Contexts

Location Tracking

Increasingly, as we go about our daily lives, data is being collected about our location and movements. One nearly pervasive source of this data is our cell phones, which transmit our location every minute to our cell phone service provider.

More precise location is available with the Global Positioning System (GPS) technology. GPS capabilities have been added to products ranging from cell phones to in-car navigation systems to digital cameras.

In addition to consumer demand, the development of location features has been hastened by mandates designed to improve the 911 emergency calling system. Under rules issued by the Federal Communications Commission, mobile telephones must have a location capability that allows 911 operators to determine the position of callers when they are in emergency situations.

While there are obvious consumer and public benefits to location technologies, there are privacy concerns.

On the consumer side, there are some important protections in place. Advertisers are seeking access to location information generated by mobile devices. They want to serve up advertisements to people based on location – the nearest coffee shop, for example. Legislation adopted in May 1999 requires cell phone companies to obtain prior explicit user consent before using or disclosing location information for marketing purposes. However, third party application providers are not subject to any limits. Operators of automatic toll-paying systems are probably subject only to state law protections, which vary.

Law enforcement agencies are increasingly seeking access to location information generated by cellular telephones. The government can obtain historical location information about where a person's mobile device was over a period of time in the past, and it can require cell phone companies to intercept location information in real time. The standards for law enforcement access to location information are uncertain because the law that should govern such access is out of date.

Biometrics refers to the analysis of physical human characteristics such as voice and fingerprints for identification purposes. Technologies that use biometric identifiers have drawn increasing attention from government agencies and private companies seeking more secure forms of identification. There has been particular interest in incorporating more advanced biometric verification into government-issued documents such as visas and passports.

While biometric identifiers hold great potential, they also carry unique privacy concerns. The same aspects of biometrics that make them so convenient (their permanence) make the risks of collecting and storing the information much greater. A victim of identity theft can get a new Social Security number, but not new fingerprints. Biometric identifiers may also be easier to gather without a person's permission or knowledge.

Both the public and private sectors have expressed interest in adopting authentication systems, which allow for online verification of identity or authorization. In the public sector, these systems will allow for the government to better meet the needs of the citizens. In the private sector, they can facilitate e-commerce and enhance security and trust. However, many authentication systems will collect and share personal information, raising privacy and security concerns.

The Authentication Privacy Principles Working Group, convened by CDT, issued in 2003 an Interim report, which describes how organizations can use authentication to perform services without comprising privacy. The guidelines encourage organizations to provide notice; obtain consent; limit the amount of information collected, stored, and shared; and provide accountability.

Radio Frequency Identification Devices

Radio frequency identification devices (RFIDs) are microchips that store and transmit a unique identifier and other information. They can be embedded into consumer products and used by manufacturers to track goods through the supply chain. The tags come in two forms, passive and active. The passive (battery-less) tags have a lower read-range than active tags. While there is no privacy concern with a business using RFID technology to track its goods before they are sold, important privacy issues arise if the devices are not removed upon purchase.

Governments are also taking up RFID technology, in ways that raise serious privacy concerns. Since August 2007, all new U.S. passports have contained RFID chips, and in 2008 the State Department began including RFID chips in ?passport cards? used for land travel and sea travel to Canada, Mexico and the Caribbean.